Operating System - OpenVMS
Delete Intrusion Record

 
LM_2
Frequent Advisor

Delete Intrusion Record

What is the proper syntax to delete an intrusion record - I have tried every imaginable combination to delete one and it just does not work - here is one of the intrusion records I had:

TERM_USER INTRUDER 27 13-JAN-2009 11:16:13.45 spduslis51.na.net.dana.com:LISROBSHIP on LISES1
11 REPLIES
Hoff
Honored Contributor

Re: Delete Intrusion Record

In the absence of commands and errors, the following is somewhat of a series of guesses...

http://h71000.www7.hp.com/doc/83final/9996/9996pro_55.html

For some cases, you may have to quote the source field portion of the string. The usual commands are:

DELETE /INTRUSION "whatsit"::whatever

or

DELETE /INTRUSION whatsit::whatever

Or you can use the /NODE qualifier.

The other thing that happens here is somebody erroneously creates a DELETE symbol with some qualifiers that (in the usual case) work on the DELETE file command, and that are not valid on the DELETE /INTRUSION command. That can be bypassed using the following:

DELETEX /INTRUSION whatsit::whatever

To bypass any DCL symbol for DELETE, add a character or two at the end of the DELETE command, such as the X shown above. (And don't mask verbs with symbols, as a general suggestion.)

Otherwise, please post up the command(s) and the full text of the error message(s) received with what you've tried here. The command might not work, but the command and the error might help us figure out what is going wrong here...

LM_2
Frequent Advisor

Re: Delete Intrusion Record

I have tried every imaginable combination - in quotes - not in quotes and I even tried using just the /node option and I get the following every time:

%SECSRV-E-NOSUCHINTRUDER, no intruder or suspect matches your specification
LM_2
Frequent Advisor

Re: Delete Intrusion Record

Here are some I have tried:

del/intr "LISROBSHIP"
del/intr LISROBSHIP
del/intr "spduslis51.na.net.dana.com:LISROBSHIP"
del/intr spduslis51.na.net.dana.com:LISROBSHIP
EdgarZamora
Trusted Contributor
Solution

Re: Delete Intrusion Record

Maybe this won't do for your site, but I usually do a DELETE/INTR * to avoid all the frustration.
LM_2
Frequent Advisor

Re: Delete Intrusion Record

Well, I tried the * and I get an error message - not sure why - but it did clear it - so thank you - that will work:

LISA_ES2> show intr
Intrusion Type Count Expiration Source
--------- ---- ----- ---------- ------
TERM_USER SUSPECT 5 13-JAN-2009 12:26:28.70 spduslisl15.na.net.da
na.com:MORRIS on LISES2
LISA_ES2> del/intrusion_record *
%DCL-I-IGNQUAL, qualifiers appearing before this item were ignored
\INTRUSION_RECORD\
LISA_ES2> show intr
%SHOW-F-NOINTRUDERS, no intrusion records match specification
LM_2
Frequent Advisor

Re: Delete Intrusion Record

The delete/Intrusion_Record * works - I get an error message - but it seems to have cleared out the intrusion record so thanks a lot!
Hoff
Honored Contributor

Re: Delete Intrusion Record

Uh, Ok, so you'd like me to guess at what DCL commands you've tried? Ok. Not the most expeditious approach. It would be much easier if a sample of the failing commands and (if it's changed since you've posted that earlier sample) the target SHOW INTRUSION output were posted, though.

Here, I'd tend to expect:

DELETE /INTRUSION -
"spduslis51.na.net.dana.com":LISROBSHIP

would work on host LISES1::.

I'd neglected another case that can get involved here: the process parsing settings can also get involved here, particularly with lowercase characters.

What OpenVMS version and what IP stack?

There have been a few cases where weird intrusion records or hidden characters have gotten into the intrusion database over the years. Those get fixed with an OpenVMS ECO or (given this looks like an IP intrusion) via ECO or upgrade of whatever IP stack is in use here.
Hoff
Honored Contributor

Re: Delete Intrusion Record

Yikes, that's a few replies that snuck in there.

FWIW, there's your error -- look at where your quotes are in your:

del/intr "spduslis51.na.net.dana.com:LISROBSHIP"

Note where the documentation has:

delete /intrusion "whatsit"::whatever

The whole parameter string isn't quoted, just the source portion of the parameter string.
RBrown_1
Trusted Contributor

Re: Delete Intrusion Record

Did you notice that when you said

LISA_ES2> del/intrusion_record *

that you received this message:

%DCL-I-IGNQUAL, qualifiers appearing before this item were ignored
\INTRUSION_RECORD\

This means that you have a "del" symbol which could be confusing things.

$ SHOW SYMBOL DEL

Did you try the DELETEX trick that Hoff suggested?
Cass Witkowski
Trusted Contributor

Re: Delete Intrusion Record

Delete /int "*" works for us
Rich Hearn
Regular Advisor

Re: Delete Intrusion Record

Just another example:

CACHE1::DISK$INFSYS:[RJHEARN]_>
CACHE1::DISK$INFSYS:[RJHEARN]_>show intrusion
Intrusion Type Count Expiration Source
--------- ---- ----- ---------- ------
NETWORK SUSPECT 1 4-FEB-2009 15:01:12.70 TELNET::0A43218D:111D
NETWORK SUSPECT 1 4-FEB-2009 14:58:02.56 TELNET::0A45212C:0D69
CACHE1::DISK$INFSYS:[RJHEARN]_>
CACHE1::DISK$INFSYS:[RJHEARN]_>
CACHE1::DISK$INFSYS:[RJHEARN]_>
CACHE1::DISK$INFSYS:[RJHEARN]_>deletee/intrus "TELNET::0A45212C:0D69"
CACHE1::DISK$INFSYS:[RJHEARN]_>show intrusion
Intrusion Type Count Expiration Source
--------- ---- ----- ---------- ------
NETWORK SUSPECT 1 4-FEB-2009 15:01:12.70 TELNET::0A43218D:111D
CACHE1::DISK$INFSYS:[RJHEARN]_>show time
4-FEB-2009 14:57:40
CACHE1::DISK$INFSYS:[RJHEARN]_>

Rich
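
An added example, not part of any post in this thread: a small Python parser for SHOW INTRUSION output that rejoins a Source value wrapped onto a second line and splits off the trailing "on NODE" part, so the source string can be copied exactly when reviewing or clearing records. The sample text is built from the listings quoted above; reading "on NODE" as a node suffix and joining wrapped lines without a space are assumptions.

```python
import re
from dataclasses import dataclass

# Sample built from the SHOW INTRUSION listings quoted in this thread.
SAMPLE = """\
Intrusion Type Count Expiration Source
--------- ---- ----- ---------- ------
TERM_USER SUSPECT 5 13-JAN-2009 12:26:28.70 spduslisl15.na.net.da
na.com:MORRIS on LISES2
NETWORK SUSPECT 1 4-FEB-2009 15:01:12.70 TELNET::0A43218D:111D
"""

# One record: class, SUSPECT/INTRUDER, count, expiration date and time, source.
RECORD = re.compile(
    r"^(?P<kind>[A-Z_]+)\s+(?P<type>SUSPECT|INTRUDER)\s+(?P<count>\d+)\s+"
    r"(?P<expires>\d{1,2}-[A-Z]{3}-\d{4}\s+[\d:.]+)\s+(?P<source>\S.*)$"
)
# Assumption: a trailing " on NODE" names the node and is not part of the source.
NODE_SUFFIX = re.compile(r"^(?P<source>.+?)\s+on\s+(?P<node>\S+)$")

@dataclass
class IntrusionRecord:
    kind: str
    type: str
    count: int
    expires: str
    source: str
    node: str = ""

def parse_show_intrusion(text):
    """Parse the output of one SHOW INTRUSION command into records."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Intrusion", "---", "%")):
            continue  # blank line, column header, rule, or DCL message
        m = RECORD.match(line)
        if m:
            records.append(IntrusionRecord(m["kind"], m["type"], int(m["count"]),
                                           " ".join(m["expires"].split()), m["source"]))
        elif records:
            # Wrapped Source column: assume the wrap fell mid-token, join as-is.
            records[-1].source += line
    for rec in records:
        m = NODE_SUFFIX.match(rec.source)
        if m:
            rec.source, rec.node = m["source"], m["node"]
    return records

if __name__ == "__main__":
    for rec in parse_show_intrusion(SAMPLE):
        print(rec)
```
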